On Thu, Nov 25, 2010 at 6:07 AM, Nils Anders Danielsson <n...@cs.nott.ac.uk> wrote:
> Is CPSA intended to be run by untrusted users (for instance with the
> setuid bit set)?
>
> http://hackage.haskell.org/trac/ghc/ticket/3910
> http://www.amateurtopologist.com/2010/04/23/security-vulnerability-in-haskell-with-cgi/

Ah. This is the flaw that prompted the change. Interesting, for you see the src directory of the CPSA distribution includes scripts to run the suite of CPSA programs by a CGI script written in Python. The purpose of this mode of operation is to allow people to use CPSA without installing any software on their machine, except a standards-compliant browser if they're on Windows.

The CGI script is not security hardened, and only used on friendly, closed systems. But a key part of the setup is to bound the memory used by CPSA, and limit the number of copies running to one.

The memory limit was set after a new user submitted a CPSA problem to the web server that consumed all the memory on the machine running the web server. The web server was running on the desktop machine I was using, so I knew instantly what had happened. I kicked myself because I already had learned to limit memory when invoking CPSA from the command line.

John
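The two controls described in the message above, a memory bound and a one-copy limit, sketched for a Python CGI wrapper on Linux/POSIX. This is an added example, not the script shipped in the CPSA src directory; `run_bounded`, `Busy`, the lock path, and the choice of `RLIMIT_AS` plus `flock` are assumptions made for illustration.

```python
import fcntl
import resource
import subprocess
import sys
import tempfile

class Busy(Exception):
    """Another run already holds the lock."""

def _cap_memory(limit_bytes):
    # Runs in the child between fork and exec, so only the tool is capped.
    _, hard = resource.getrlimit(resource.RLIMIT_AS)
    if hard != resource.RLIM_INFINITY:
        limit_bytes = min(limit_bytes, hard)  # an unprivileged process cannot exceed it
    resource.setrlimit(resource.RLIMIT_AS, (limit_bytes, limit_bytes))

def run_bounded(argv, stdin_bytes, limit_bytes, lock_path, timeout=60):
    """Run argv with a capped address space, at most one copy at a time."""
    with open(lock_path, "a") as lock:
        try:
            # Non-blocking: a second request is refused instead of queued.
            fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            raise Busy(lock_path) from None
        # The submission goes on stdin, so it never becomes part of argv.
        return subprocess.run(
            argv, input=stdin_bytes, timeout=timeout,
            stdout=subprocess.PIPE, stderr=subprocess.PIPE,
            preexec_fn=lambda: _cap_memory(limit_bytes),
        )  # closing the lock file on exit releases the flock

if __name__ == "__main__":
    # Constructed stand-in for the analysis tool: tries to allocate 2 GiB.
    hog = [sys.executable, "-c", "x = bytearray(2 * 1024**3)"]
    with tempfile.TemporaryDirectory() as d:
        result = run_bounded(hog, b"", 1 << 30, d + "/tool.lock")
        print("exit status under a 1 GiB cap:", result.returncode)
```

A CGI handler would catch `Busy` and `subprocess.TimeoutExpired` and return an error page rather than letting the request wait or run unbounded.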